In a letter Wednesday to Sebelius, he accused the secretary of making false statements on several points based on what he characterized as contradictory testimony by the agency’s security testing contractors and CMS’s chief information security officer, Theresa Fryer.

Issa wrote that Sebelius misrepresented that the contractor MITRE was conducting ongoing security testing on HealthCare.gov and that it had not flagged security risks before the website’s launch. He also wrote that the company said it was not asked whether the launch should proceed, while Sebelius testified that it “had made recommendations to CMS, as is required.”

“Providing false or misleading testimony to Congress is a serious matter,” Issa wrote, and asked Sebelius to “correct the record.”

In a statement, HHS said the agency would respond to the letter and reiterated — as officials have in prior testimony — that all the elements of HealthCare.gov that are live comply with Federal Information Security Management Act standards. “There have been no successful security attacks on Healthcare.gov and no person or group has maliciously accessed personally identifiable information,” the statement said. “An independent security control assessor tested each piece of the Healthcare.gov system that went live October 1 prior to that date with no open high findings” – meaning highest risk problems.